(57) Abstract

The invention relates to a procedure for the control of applications stored in a subscriber identity module in a data communication 
system comprising a data communication network (4), a terminal device (MS) connected to the data communication network, a subscriber 
identity module (SIM) connected to the terminal device and containing a stored application that makes use of the data communication 
network and is used by means of the terminal device, and an application control server (1) connected to the data communication network. 
In an embodiment of the invention, a key list comprising one or more application-specific keys is stored in the subscriber identity module 
(SIM). A corresponding list is also stored in the application control server, which takes care of the control of applications stored in subscriber 
identity modules. The application stored in the subscriber identity module is activated and/or closed by using the key list. 

PROCEDURE FOR THE CONTROL OF APPLICATIONS STORED IN A SUBSCRIBER IDENTITY MODULE

The present invention relates to a procedure as defined in the preamble of claim 1 for verifying the rights relating to the control of keys to applications stored in a subscriber identity module and to the use of such applications.

With the development of mobile communication networks, especially GSM networks (GSM, Global System for Mobile Communications), the services offered through them develop as well. Especially in applications making use of mobile communication networks and requiring a high level of data security, e.g. in payments for services, ordering, order confirmations, payment orders, bank services, etc., problems are encountered regarding safe application-specific control of keys and billing of license fees for operator-independent services. The problem is accentuated by the fact that subscriber identity modules used in GSM terminals are manufactured by several enterprises and that there are many companies offering applications and several operators delivering subscriber identity modules to customers. In addition, the applications used to provide services in the GSM network are often produced by outside software suppliers or equivalent, which means that the licenses for the applications belong to the software suppliers.

If a license fee is to be charged for the use of an application, it is necessary to carefully follow the use of the application and define the limits within which the application may be used. For this purpose no solution has been presented before, at least no solution that allows centralised control of the subscriber identity modules and the passwords relating to the applications stored in them.

The object of the present invention is to eliminate the drawbacks described above.

A specific object of the present invention is to produce a new type of procedure which is applicable for the control of keys to applications making use of the subscriber identity module and for the control of license agreements concerning the use of such applications and which can be easily implemented in a centralised form independent of different suppliers.

A further object of the present invention is to produce a procedure with a high level of data security that allows flexible and reliable safeguarding of the interests of operator, module manufacturer, application developers and users of applications.

As for the features characteristic of the invention, reference is made to the claims.

In conjunction with the present procedure for the control of applications stored in a subscriber identity module, the data communication system preferably comprises a data communication network and a terminal device connected to the data communication network. Preferably the data communication network is a GSM network and the terminal device is a GSM telephone. The GSM telephone is preferably provided with a subscriber identity module containing an application stored in it, which utilises the data communication network and is used via the terminal device for bank or other services available. The data communication system also comprises an application control server (1) connected to the data communication network. The application control server is preferably a computer or equivalent which is provided with means for setting up a connection to the data communication network and with software for implementing the required applications. The software is preferably managed by service providers or especially by data communication suppliers providing management services.

According to the invention, a key list comprising one or more application-specific keys is stored in the subscriber identity module. The key list is preferably linked or connected with the subscriber identity module by using a unique identifier corresponding to the module. A corresponding list is also stored in the application control server, and the application stored in the subscriber identity module is activated and/or closed using the key list.

Thus, in the procedure of the invention, stored on a smart card (SIM card) in the mobile station is a list of keys comprising the keys K(1), K(2), K(n) and KA(1) and KA(2) needed for activating or closing different applications on the card. The SIM card or subscriber identity module preferably also contains modules for activating and closing the application. In conjunction with manufacture, the SIM card has been initialised with a security module in a known manner. The activating/closing module is used to ensure that the application, such as electronic signature utilising the smart card, can be activated/closed by the key control system if necessary. Thus, the procedure of the invention implements application-specific key control in addition to the previously known SIM card key control system.

The application-specific key control system knows the keys needed in an application or applications, and these keys need not be known to the mobile communication operator's key control system. The application-specific key control system of the invention can be separated from the operators' key control systems, thus making it possible to provide a service independent of data communication network and operator. The key control system responsible for the applications need not know the teleoperator's keys, which are used for user identification in basic mobile communication services in a manner known in itself. Key control for applications is implemented in a protected database, from which application-specific services utilising the SIM card and requiring a high level of data security can be activated and closed.

As compared with prior art, the invention has the advantage that the procedure allows local identification of the user of services requiring a high level of data security by all service providers in the networks of different operators as well as a centralised implementation of key control.

Moreover, the procedure of the invention allows control and billing of user-specific payments and licenses for different applications.

In an embodiment of the invention, the validity of the user's right of access to the application stored in the subscriber identity module is verified periodically. If it is established that the access right has expired, then, using an appropriate key, the application in the subscriber identity module can be closed.

In conjunction with the activation of the application stored in the subscriber identity module, the subscriber identity module is sent a message concerning the opening of the application, said message containing the application key k(n) to be used in the application. In the application control server, the application key is attached to the unique identifier corresponding to the subscriber identity module. Based on the key list, the right of access to the application is preferably verified in the application control server and, if a valid access right exists, the special data needed in the application, e.g. service description and application-specific user interface codes, are sent.

In an embodiment of the present invention, all messages between the application control server and the terminal device are encrypted regardless of the content of the message.

In the following, the invention will be described by the aid of embodiment examples by referring to the attached drawing, in which

Fig. 1 presents a preferred data communication system in which the procedure of the invention can be used; and

Fig. 2 presents a block diagram of a preferred embodiment of the procedure of the invention.

Fig. 1 presents an example of a data communication system in which the procedure of the invention can be implemented. The data communication system shown in Fig. 1 comprises a GSM telephone network 4. Connected to the GSM network is a mobile station MS compatible with the network and provided with a subscriber identity module SIM. In conjunction with manufacture, the subscriber identity module SIM has been initialised using a security module in a manner known in itself; reference is made to patent specification WO 90/11849. Moreover, the subscriber identity module comprises an activating and closing module 2, 3, which are used for the activation and closing of the application.

The service provider's application control server 1 is connected to the GSM network and to the service provider's equipment e.g. via a telephone network PSTN/ISDN. The connection between the application control server 1 and the GSM telephone MS is set up in accordance with the normal GSM practice either as a voice, data or short message connection. Let it be further stated that the telephone network 4 may be any other data communication network, such as a CDMA network, PCN network, UMTS network or equivalent, and that, correspondingly, the terminal device may be any other terminal device compatible with the data communication network to which a subscriber identity module or an equivalent device can be connected.

Fig. 2 presents a block diagram illustrating the various stages of control of an application in the subscriber identity module, carried out by the application control server. The example used here is a bank application in which a bank gives its customer the right to use its bank services using a GSM telephone MS and an application stored in a subscriber identity module SIM connected to it.

The customer is in possession of an identifier (UID) corresponding to the SIM card. The key k(n) corresponding to the identifier (UID) and the application (n) as well as the keys KA1 and KA2 have been stored in an application-specific key control system in the application control server 1. The customer makes an agreement with the bank about the use of a mobile station based bank service, whereupon the bank sends the UID corresponding to the customer's SIM card to an application-specific card control system. After this, the application-specific card control system sends an opening message to the SIM card corresponding to the UID. The opening message contains the customer's user key k(n) which is needed for the bank service and which is to be used later to activate the application stored on the card, and a possible registering message. Using the key k(n) sent by the card control system, the customer can set the mobile station to bank mode and send an acknowledgement of the registering message to the card control system. The key k(n) can also be sent in an encrypted form, which is decrypted by a decryption programme on the SIM card. The customer now has a licensed key that gives him/her the right to use the bank service concerned. The key is useless to outsiders because it is card-specific and will only activate an application stored on the particular card.

In conjunction with the activation of the card, the customer may be billed for the license fees if the customer acknowledges the registration. The application-specific card control system sends to the bank the necessary identifiers, including the identifier KA(1) needed for the activation of a bank service. In the bank, the customer and application specific identifier sent by the card control system is associated with the respective bank service. Using the application-specific activation code KA(1), the bank can load the service menus and forms needed in the bank service as well as the identifiers needed in the use of the service onto the customer's card, whereupon the bank service is available to the customer. The bank-specific service menus and service forms are transmitted to the mobile station by the "dynamic menu load" method or to the SIM card by the OTA (Over The Air) method in a manner known in itself. If the code KA(1) is correct, the activating/closing module on the card will accept the loading and the card will be activated for the bank service.

Finally, the process described above will be presented in greater detail by referring to the block diagram in Fig. 2. At a bank, the customer makes an agreement about utilising a mobile station MS and linking it to a bank service, block 21. At the same time, the unique identifier (UID) of the customer's subscriber identity module is linked to the service as described above. In the agreement, the customer accepts the license conditions required for the use of the application. Via the application control server 1, the bank sends the unique identifier (UID) of the subscriber identity module for the activation of the application in the subscriber identity module to the application-specific subscriber identity module control system, block 22. The subscriber identity module control system initialises the subscriber identity module SIM by sending a registering confirmation to the customer's mobile station, block 23. At the same time, the customer receives a key k(n) that the customer can use to switch his/her mobile station and the associated subscriber identity module into bank mode and subsequently to open the service.

WO 99/01848, PCT/FI98/00522

In block 24, the customer enters the key k(n) into the mobile station and accepts the registration by acknowledging the registering message sent by the subscriber identity module control system. After this, the subscriber identity module control system sends the keys needed for the use of the application to the bank so that the application-specific menus and customer identifiers can be loaded into the customer's mobile station and subscriber identity module, block 25. The customer's mobile station has now been opened and activated and is ready for use in the bank service, block 26. If the customer misuses the system or otherwise fails to observe the terms of agreement, then the subscriber identity module control system can close the application in the subscriber identity module. The application is closed using a closing message containing a closing key.

If the customer fails to make the payments to be subsequently charged for the use of the application, e.g. the annual license fee to be paid for the service, use of the application can be prevented by sending the subscriber identity module SIM a closing message from the key control system. The encrypted closing message contains a closing key by which the application in the subscriber identity module will recognise that the sender of the message has the right to close the application stored on the card. Similarly, if the mobile station together with the subscriber identity module is lost, the card or application can be closed. The application can be opened and activated again in a corresponding manner from the application-specific key control system.

The invention is not restricted to the examples of its embodiments described above, but many variations are possible within the scope of the inventive idea defined by the claims.
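
The key-list check performed by the activating/closing module and the matching list on the application control server can be modelled as follows. This Python example is added here and is not part of the patent text; the class and method names, the 16-byte random keys, the personalise step and the use of KA(2) as the closing key are assumptions, and message encryption is omitted.

```python
import hmac
import secrets

class SimCard:
    """Activating/closing module (2, 3) with one card's key list."""
    def __init__(self, uid, keys):
        self.uid = uid
        self._keys = dict(keys)   # k(n), KA(1), KA(2) as stored on the card
        self.bank_mode = False    # set when the customer enters k(n)
        self.active = False       # set when the service loading is accepted

    def _ok(self, name, presented):
        # Constant-time comparison, so timing does not leak key bytes.
        return hmac.compare_digest(self._keys[name], presented)

    def enter_user_key(self, k_n):
        self.bank_mode = self._ok("k", k_n)
        return self.bank_mode

    def load_service(self, ka1):
        # Loading is accepted only in bank mode and with this card's KA(1).
        accepted = self.bank_mode and self._ok("KA1", ka1)
        self.active = self.active or accepted
        return accepted

    def close(self, ka2):
        # Assumption: KA(2) is the closing key; any other key is ignored.
        if not self._ok("KA2", ka2):
            return False
        self.active = self.bank_mode = False
        return True

class ApplicationControlServer:
    """Holds the key list corresponding to each card, indexed by UID."""
    def __init__(self):
        self._key_lists = {}

    def personalise(self, uid):
        # Assumption: both copies of the list are written at card issuance.
        keys = {n: secrets.token_bytes(16) for n in ("k", "KA1", "KA2")}
        self._key_lists[uid] = keys
        return SimCard(uid, keys)

    def key_for(self, uid, name):
        return self._key_lists[uid][name]

def demo():
    srv = ApplicationControlServer()
    a, b = srv.personalise("UID-A"), srv.personalise("UID-B")  # constructed UIDs
    out = {}
    a.enter_user_key(srv.key_for("UID-A", "k"))        # opening message
    out["a_activated"] = a.load_service(srv.key_for("UID-A", "KA1"))
    b.enter_user_key(srv.key_for("UID-A", "k"))        # card A's keys on card B
    out["b_with_a_keys"] = b.load_service(srv.key_for("UID-A", "KA1"))
    out["wrong_close"] = a.close(srv.key_for("UID-B", "KA2"))
    out["right_close"] = a.close(srv.key_for("UID-A", "KA2"))
    out["a_active_after"] = a.active
    return out
```

Card B rejecting card A's keys is the property the description relies on when it calls the key useless to outsiders.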

CLAIMS

1. Procedure for the control of applications stored in a subscriber identity module in a data communication system comprising a data communication network (4), a terminal device (MS) connected to the data communication network, a subscriber identity module (SIM) connected to the terminal device and containing a stored application that makes use of the data communication network and is used by means of the terminal device, and an application control server (1) connected to the data communication network, characterised in that

a key list comprising one or more application-specific keys is stored in the subscriber identity module (SIM);

a key list corresponding to the key list stored in the subscriber identity module is stored in the application control server; and

the application stored in the subscriber identity module is activated and/or closed using the key list.

2. Procedure as defined in claim 1, characterised in that a module (2, 3) for activating and/or closing the application is stored in the subscriber identity module (SIM).

3. Procedure as defined in claim 1 or 2, characterised in that a check is carried out periodically to determine whether a valid right of access to the application stored in the subscriber identity module exists.

4. Procedure as defined in any one of the preceding claims 1 - 3, characterised in that, in the application control server, the key list is linked to the subscriber identity module by using a unique identifier corresponding to it.

5. Procedure as defined in any one of the preceding claims 1 - 4, characterised in that, by means of the application control server (1),

a message concerning the opening of the application and containing an application key k(n) to be used in the application is sent to the subscriber identity module; and

the application key is attached to the unique identifier corresponding to the subscriber identity module.

6. Procedure as defined in any one of the preceding claims 1 - 5, characterised in that, via the application control server (1),

the right of access to the application is verified on the basis of the key list; and

the special data needed in the application are sent if a valid access right exists.

7. Procedure as defined in any one of the preceding claims 1 - 6, characterised in that the messages between the application control server (1) and the terminal device (MS) are encrypted.

8. Procedure as defined in any one of the preceding claims 1 - 7, characterised in that a telecommunication connection is set up between the terminal device (MS) and the subscriber identity module (SIM) connected to it on the one hand and the application control server (1) on the other hand via a telephone network, such as a mobile communication network.

9. Procedure as defined in any one of the preceding claims 1 - 9, characterised in that the data communication network (4) is a GSM network and the terminal device (MS) is a GSM telephone.